Juniper Junos OS Heap-based Buffer Overflow (JSA69497)

Nessus Plugin ID 161287 (severity: high)

Synopsis

The remote device is missing a vendor-supplied security patch.

Description

An uncontrolled memory allocation vulnerability leading to a heap-based buffer overflow in the packet forwarding engine (PFE) of Juniper Networks Junos OS allows a network-based unauthenticated attacker to flood the device with traffic, leading to a Denial of Service (DoS). A device is vulnerable to this issue only if it is configured with storm control profiling that limits the amount of unknown broadcast, multicast, or unicast traffic.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the relevant Junos software release referenced in Juniper advisory JSA69497.

See Also

https://kb.juniper.net/JSA69497

Plugin Details

Severity: High

ID: 161287

File Name: juniper_jsa69497.nasl

Version: 1.2

Type: combined

Published: 5/18/2022

Updated: 5/19/2022

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 4.3

Temporal Score: 3.2

Vector: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-22188

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:juniper:junos:*:*:*:*:*:*:*:*

Required KB Items: Settings/ParanoidReport, Host/Juniper/model, Host/Juniper/JUNOS/Version

Exploit Ease: No known exploits are available

Patch Publication Date: 4/13/2022

Vulnerability Publication Date: 4/13/2022

Reference Information

CVE: CVE-2022-22188

IAVA: 2022-A-0162

JSA: JSA69497